- From: Peter Schober <peter.schober AT univie.ac.at>
- To: edugain-tsg AT geant.net
- Cc: edugain-discuss AT geant.net
- Subject: Re: [eduGAIN-discuss] [eduGAIN-SG] SWAMID Identity Provider Opt-out
- Date: Fri, 14 Nov 2014 19:33:18 +0100
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT univie.ac.at
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
- Organization: ACOnet
* Ian Young <ian AT iay.org.uk> [2014-11-14 12:37]:
> That stuff isn't going to look schema-valid unless you have the WS-*
> schema definitions available. So, it might be worth adding the
> associated schema definitions to see if that helps.
It does (as others have confirmed already), but as our documented
MetadataProvider for the Shibboleth software unfortunately contained a
"SchemaValidation" metadata filter[1], any IDP configured that way would
need to (1) acquire and then (2) learn how to add arbitrary XSD schema
files to a Shibboleth IDP install (probably adding them to the
classpath somewhere, somehow).
So for now I have opted to remove any md:RoleDescriptor elements
wholesale, which takes care of that problem and doesn't remove any
other functionality we care about /at this time/.
One alternative would be to filter out the "offending" entities, which at
this time are these two ADFS IDPs from SWAMID:
- http://idp.chalmers.se/adfs/services/trust
- http://fs.liu.se/adfs/services/trust
Still beats kicking out SWAMID from eduGAIN, for producing valid
(though not easily validated!) SAML metadata.
If anyone wanted to do the same, and supports XSLT for that, a copy of
pyFF's unsign.xsl would do just fine, replacing "ds:Signature" with
"md:RoleDescriptor":
https://github.com/leifj/pyFF/blob/master/src/pyff/xslt/unsign.xsl
Maybe call it unadfs.xsl for now ;)
-peter
[1] https://wiki.univie.ac.at/display/federation/IDP+Metadata+configuration
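The filter Peter describes (drop every md:RoleDescriptor from the aggregate, leave the SAML-specific roles alone), as an added example that is not part of the original post or of pyFF. It uses only the Python standard library instead of XSLT; the sample metadata and the adfs.example.org entityID are constructed. As with unsign.xsl, run it only after the aggregate's signature has been verified, since the transform invalidates the signature.

```python
"""Strip md:RoleDescriptor elements (the generic role that ADFS uses for its
WS-Federation/WS-Trust endpoints) from SAML metadata, so that a strict
SchemaValidation filter no longer needs the WS-* XSD files to accept it."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample: one entity carrying both a SAML IdP role and a
# generic RoleDescriptor of the kind an ADFS IdP publishes (placeholder
# entityID, not a real federation member).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://adfs.example.org/adfs/services/trust">
    <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
        protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def strip_role_descriptors(metadata_xml: str) -> tuple[str, int]:
    """Return (filtered XML, number of md:RoleDescriptor elements removed).

    Only the generic md:RoleDescriptor is dropped. IDPSSODescriptor,
    SPSSODescriptor and the other SAML roles are distinct element names
    in the md namespace and stay untouched, so SAML interop is unaffected.
    """
    root = ET.fromstring(metadata_xml)
    target = f"{{{MD_NS}}}RoleDescriptor"
    removed = 0
    # Materialise the element list first so removals during the walk are
    # safe; walking every parent also covers nested EntitiesDescriptor
    # aggregates, not just the top-level EntityDescriptor children.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == target:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    filtered, count = strip_role_descriptors(SAMPLE_METADATA)
    print(f"removed {count} md:RoleDescriptor element(s)")
    print(filtered)
```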